Security Alert: OpenSSL “Heartbleed” Bug


Several media outlets reported a serious vulnerability in OpenSSL 1.0.1 through 1.0.1f (inclusive) called “The Heartbleed Bug,” on April 7, 2014. This represents a serious Web security flaw that may compromise privacy. Please see the following news articles and websites which describe the issue in greater detail:

If you run a Web server with SSL (specifically OpenSSL 1.0.1 through 1.0.1f), it is recommended that you patch the software immediately and upgrade to OpenSSL 1.0.1g. If you are stuck with a previous version of OpenSSL for some reason, you can block the vulnerability by re-compiling it using the OPENSSL_NO_HEARTBEATS flag. OpenSSL 1.0.2 will have the bug fixed in the upcoming 1.0.2-beta2 release. If you do not know which version your site is running, go to https://sslanalyzer.comodoca.com and enter your site’s URL to find out whether the site is vulnerable.

Additionally, if you have contracted with any vendors who use SSL, please contact them immediately to find out if they have applied the current patches and to find out what other steps may be required.

One of the side effects of this vulnerability is that the server private key may be compromised, and the compromise may leave no trace. In this case, after patching, please generate new keypairs and request a new certificate. DoIT will provide a new Comodo/InCommon certificate to its Stony Brook IT Partners at no cost; simply email the CSR to certreq@stonybrook.edu.
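As an added example (not part of the DoIT advisory), the following POSIX shell helpers cover the two steps above: classifying an `openssl version` string against the affected range, and generating a replacement keypair and CSR after patching. The hostname and certificate subject fields are placeholders, not values from the advisory.

```shell
#!/bin/sh
# Added example, not from the DoIT advisory. Helpers for the patch-and-rekey steps.

# heartbleed_status VERSION_LINE
# Prints: vulnerable | fixed | not-affected | unknown
# Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in 1.0.1g and 1.0.2-beta2.
# Caveat: distributions often backport the fix without bumping the version
# letter, so a "vulnerable" result from the version string alone must be
# confirmed against the vendor's package changelog before rebuilding anything.
heartbleed_status() {
    v=$(printf '%s' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    case "$v" in
        '')                    echo unknown ;;
        1.0.1|1.0.1[abcdef]*)  echo vulnerable ;;    # 1.0.1 .. 1.0.1f (incl. -fips builds)
        1.0.1*)                echo fixed ;;         # 1.0.1g and later
        1.0.2-beta1*)          echo vulnerable ;;
        1.0.2*)                echo fixed ;;         # 1.0.2-beta2 onward
        *)                     echo not-affected ;;  # 0.9.8 / 1.0.0 have no heartbeat code
    esac
}

# check_local_openssl: classify the OpenSSL binary installed on this host.
check_local_openssl() {
    heartbleed_status "$(openssl version 2>/dev/null)"
}

# regenerate_key_and_csr HOSTNAME
# After patching, create a brand-new 2048-bit RSA key (the old one may have
# been read out through the bug) and a CSR to send to certreq@stonybrook.edu.
# Subject fields below are placeholders; use the values your CA account requires.
regenerate_key_and_csr() {
    host=$1
    (
        umask 077   # private key file is created with owner-only permissions
        openssl genrsa -out "$host.key" 2048 &&
        openssl req -new -key "$host.key" -out "$host.csr" \
            -subj "/C=US/ST=New York/O=Example Organization/CN=$host"
    )
}

# Usage (not run here): check_local_openssl; regenerate_key_and_csr www.example.edu
```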

DoIT is actively monitoring the situation here at Stony Brook and has contacted its vendors about any vendor-supplied software.

Stony Brook’s SOLAR, PeopleSoft, Blackboard, and Google Apps for Education systems are not affected by this vulnerability. Other systems accessed with your Stony Brook NetID and NetID password are not affected.

Individual users may want to consider changing the passwords on all their sensitive Internet accounts, such as banking accounts, private email accounts, and any accounts created for online shopping with the use of credit card information. However, the New York Times Bits blog suggests waiting a day or two to allow time for websites to get patched.

DoIT has created a public Yammer group to provide the campus community with updates as this situation unfolds and develops. Please post your questions and comments to the Heartbleed Bug Info Yammer group.